I'm going to protect my user application against Process Hacker and Task Manager (first tab); I can protect it from user-mode methods with the ObCallback sample driver.
We saw in the DbgPrint output that OperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess is 21410 from the above tools, and I don't know what access mask we should set for OperationInformation->Parameters->CreateHandleInformation.DesiredAccess, or is there any other way to solve this problem?
How to protect my user mode application from killing by other kernel modules?
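The following is an added example, not code from the thread or from the ObCallback sample. It shows the shape of an ObRegisterCallbacks pre-operation routine for the protected-process case the question describes: rather than setting DesiredAccess to some fixed value, the callback strips only the rights that allow termination, suspension and injection, and leaves query and read rights in place so the process can still be listed. The types and constants are user-mode stand-ins for what a driver gets from ntddk.h, so the code compiles and runs outside the kernel; the access-right values are the documented winnt.h values. The RegistrationContext carrying the protected PEPROCESS is an assumption of this example. If the 21410 in the question was printed in hex, it decodes to READ_CONTROL | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, none of which this filter removes.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for kernel types (ntddk.h) so this runs in user mode. */
typedef uint32_t ACCESS_MASK;

/* Process access rights as documented in winnt.h. */
#define PROCESS_TERMINATE                 0x0001
#define PROCESS_CREATE_THREAD             0x0002
#define PROCESS_VM_OPERATION              0x0008
#define PROCESS_VM_READ                   0x0010
#define PROCESS_VM_WRITE                  0x0020
#define PROCESS_DUP_HANDLE                0x0040
#define PROCESS_SET_INFORMATION           0x0200
#define PROCESS_QUERY_INFORMATION         0x0400
#define PROCESS_SUSPEND_RESUME            0x0800
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
#define READ_CONTROL                      0x00020000

/* Rights that let a caller terminate, suspend, inject into or tamper with the
   process. Query/read rights are deliberately not stripped: removing them breaks
   legitimate callers and is not needed to stop a kill from the first tab. */
#define PROTECTED_DENY_MASK \
    (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | \
     PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_SET_INFORMATION | \
     PROCESS_SUSPEND_RESUME)

enum { OB_OPERATION_HANDLE_CREATE = 1, OB_OPERATION_HANDLE_DUPLICATE = 2 };
enum { OB_PREOP_SUCCESS = 0 };

/* Stand-in for the fields of OB_PRE_OPERATION_INFORMATION this callback uses.
   The real structure keeps DesiredAccess/OriginalDesiredAccess in a union under
   Parameters->CreateHandleInformation / DuplicateHandleInformation; it is
   flattened here. */
typedef struct {
    int          Operation;
    int          KernelHandle;           /* nonzero: handle in the kernel handle table */
    void        *Object;                 /* the PEPROCESS being opened */
    ACCESS_MASK *DesiredAccess;          /* in/out: rights the caller will receive */
    ACCESS_MASK  OriginalDesiredAccess;  /* what the caller asked for (read-only) */
} MOCK_PRE_OP_INFO;

/* Policy as a pure function so it can be tested without the callback plumbing. */
ACCESS_MASK FilterProcessAccess(ACCESS_MASK requested, int callerIsKernel)
{
    /* Kernel-mode requests pass through: as the replies note, kernel code can
       undo any protection anyway, and stripping rights from kernel handles
       destabilises the system. */
    if (callerIsKernel)
        return requested;
    return requested & ~(ACCESS_MASK)PROTECTED_DENY_MASK;
}

/* Shape of a pre-operation routine registered for PsProcessType with
   Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE.
   RegistrationContext is assumed to be the PEPROCESS to protect. */
int PreOperationCallback(void *RegistrationContext, MOCK_PRE_OP_INFO *Info)
{
    if (Info->Object != RegistrationContext)
        return OB_PREOP_SUCCESS;         /* some other process: leave the request alone */

    if (Info->Operation == OB_OPERATION_HANDLE_CREATE ||
        Info->Operation == OB_OPERATION_HANDLE_DUPLICATE) {
        *Info->DesiredAccess = FilterProcessAccess(*Info->DesiredAccess, Info->KernelHandle);
    }
    return OB_PREOP_SUCCESS;
}

int main(void)
{
    char protectedProcess;               /* constructed stand-in for a PEPROCESS */
    /* Constructed request resembling a user-mode "End task": terminate plus query. */
    ACCESS_MASK desired = PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION;
    MOCK_PRE_OP_INFO info = { OB_OPERATION_HANDLE_CREATE, 0, &protectedProcess,
                              &desired, desired };

    PreOperationCallback(&protectedProcess, &info);
    printf("requested 0x%x, granted 0x%x\n",
           (unsigned)info.OriginalDesiredAccess, (unsigned)*info.DesiredAccess);
    return 0;
}
```

In a real driver the routine is registered through ObRegisterCallbacks with an OB_OPERATION_REGISTRATION entry for PsProcessType, an altitude string in OB_CALLBACK_REGISTRATION, and the driver image linked with /INTEGRITYCHECK. Two limits follow from how the mechanism works and match the answers below: the callback only sees handles that go through the object manager after registration, so handles opened earlier are unaffected, and it cannot stop kernel-mode code, which can terminate the process without a handle or simply unregister the callback.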
>How to protect my user mode application from killing by other kernel modules
You’re going to get quite a few “interesting” answers, I predict.
Anyhow… The real answer is “you can’t” – Code running in kernel-mode is part of the Trusted Computing Base. It’s the code that creates and enforces protection within the system. It’s not really possible, therefore, to protect stuff in the system FROM the code that does the protecting… you know?
Even if you could manage creating a System Protected Process, one could always write kernel-mode code that would set your nicely protected process to the state where it’s no longer protected.
So… you CAN’T protect your user mode application from being killed by some arbitrary kernel-mode module. Sorry.
Look up CreateEnclave in MSDN. While not supported on all systems, this can do something like what you are asking about. It is designed to hold encryption keys and the like, but can't prevent process termination, as that is fundamentally impossible.
>You’re going to get quite a few “interesting” answers, I predict.
Actually, I was expecting to hear the requests concerning the OP's name and company, so I was rubbing my hands in anticipation. However, now I am already not so optimistic about this part…
On Tue, Feb 27, 2018 at 5:45 AM, xxxxx@gmail.com wrote:
> [the original question, quoted in full]
To me, the most direct route seems to be:
1) Reimplement Xen, or KVM.
2) Run the Windows kernel using your reimplementation.
3) It may be possible to use the VMM to help you enforce permissions, but it may not be. If not, you will need to simulate bits of code to see if the conditions you do not want would occur.
Or:
1) Find a way to modify the kernel binary.
2) Write a bunch of code targeting undocumented APIs.
Plan A: shoot down PatchGuard.
You just need to hook NtOpenProcess (if it's just against Process Hacker and Task Manager).
Plan A: VT-x syscall hook.
Take the MSR and do anything.